Allow CodePipeline to deploy SERVICE_MANAGED StackSets in non-root accounts via Delegated Administrator

[farrantch]

Allow CodePipeline to deploy SERVICE_MANAGED StackSets in non-root accounts via Delegated Administrator

Scope of request

CloudFormation recently added support do deploy StackSets via Delegated Administrator. However when deploying via CodePipeline, the following error is given (despite having already delegated access):

An API call to CloudFormation.CreateStackSet returned a ValidationError error: You must be the master or delegated admin account of an organization before operating a SERVICE_MANAGED stack set

This prevents us from managing our organization's StackSets from a non-root account.

Expected behavior

CodePipeline is successfully able to deploy a SERVICE_MANAGED StackSet from a non-root account.

Helpful Links

CodePipeline StackSet deployment documentation: https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-StackSets.html#action-reference-StackSet

CloudFormation Delegated Administrator announcement: https://aws.amazon.com/blogs/mt/cloudformation-stacksets-delegated-administration/

Categories

Management - CloudFormation StackSets Developer Tools - CodePipeline

[jfoy]

Maybe related to #799

[PCIS-Paul]

Has anyone verified if #799 being implemented has also enabled this functionality?

[cdsnaps]

This one needs to be re-opened, as #799 did not address the issue.

[laurentleonard]

Our organization is more than interested by this functionality. We are managing more than 500 accounts and we have to deploy different resources in different OUs. And we do not want to automate that work directly in the organization account.

[dannyburke1]

I got around this with:

   stackSetName: `cdkCodeBuildTest`,
        permissionModel: 'SERVICE_MANAGED',
        callAs: 'DELEGATED_ADMIN',

Also bumping the permissions of the execution role running this stack in.

[PCIS-Paul]

@dannyburke1 are you saying the CallAs configuration parameter is accepted in the CodePipeline Cloudformation StackSet deploy action type? It is not in the docs. Or are you referring to the CallAs attribute added to the StackSet cloudformation resource, which was the resolution of #799 ?

[dannyburke1]

@PCIS-Paul its the CDK CloudFormation StackSet resource. I don't think you can use the action type in CDK yet.

[afllanos]

Hi, at our company we are interested in this issue. Please, provide support in CodePipeline for StackSet execution in delegated administration accounts

[bpal410]

Very interested in status of this. Would like to set up pipelines to push StackSets to OUs without developing in root/org account.

[akshay0808]

Any updates on this issue? Showstopper for us

[niklas-palm]

Is this being worked on at the moment?

[cmaxwellau]

BUMP! any update @brianterry? My workaround is to wrap the stackset definition in a cloudformation template and then use the cloudformation deploy action instead.

[ronan-cunningham]

PLEASE, PLEASE, PLEASE fix this issue.

[nojokebucko]

It's frustrating that this issue is still not fixed. It's been two years

[bsnyder74]

I am experiencing this issue as well. Requiring customers to deploy stack sets via Code Pipeline from the management account is poor form, and does not follow a well-architected solution in my opinion. As the last person mentioned, this is still an issue and it has now been almost 2.5 years. I even opened a new support case today to discuss this issue.
At this point, can we get any commitment that this critical item will be prioritized and resolved soon?

[ronan-cunningham]

Still no update on this?

[mdgm88]

Any update on this? Needing to get the pipeline to deploy a CF stack which then deploys the StackSets shouldn't be necessary, and it's bad practice to deploy more than necessary directly in the organisation account.